episode 5

How’s your appetite for risk, asks Alan Kohler AM. He speaks with Siobhan McKenna, director of Woolworths and Nova Entertainment, executive chair of Foxtel, Fox Sports and Sky News, and Peeyush Gupta AM FAICD, director of NAB, SBS and Link Group, and chair of Charter Hall Long WALE REIT, in Episode 5 of Directors on Digital, brought to you by Microsoft and Company Director, the member magazine of the AICD.


In the wake of the pandemic, boards have a much more acute awareness of long-term risks. In this episode, we look at how boards are reassessing the risks required to create value in the digital world and how they can better negotiate the issues. 


Guest 1: Siobhan McKenna, director of Woolworths and Nova Entertainment, executive chair of Foxtel, Fox Sports and Sky News

Guest 2: Peeyush Gupta, director of NAB, SBS and Link Group, and chair of Charter Hall Long WALE REIT.




Alan Kohler: This episode was recorded on the lands of the Gadigal people of the Eora Nation and we’d like to pay respects to Elders past, present and emerging. 


Welcome back to Directors on Digital, a podcast from Microsoft and Company Director magazine where Australia’s leading company directors sit down to share their experiences and insights in driving digital innovation on their boards.


I’m Alan Kohler and in this episode, we explore the tricky terrain of risk, and how boards can reframe the conversation around risk taking.


As AICD CEO and managing director Angus Armour wrote in a recent issue of Company Director magazine: ‘Not taking a position is taking a position... Not taking a risk is taking a risk.’ In other words, seeking to avoid risk can be just as damaging to a company’s success as taking on too much risk. 


So how does a board tread the high wire between risk and reward?


To explore this, I sat down with Siobhan McKenna, executive chairman of Foxtel, Fox Sports and Sky News, as well as a director of Woolworths and Nova Entertainment, and Peeyush Gupta, chairman of Charter Hall's Long WALE REIT and a director of NAB, SBS and Link Group.


Peeyush Gupta:  “The challenge for many companies, particularly incumbent companies, around the digital transformation is your starting position often is not a great one.”


Siobhan McKenna: “The threat of digital disruption was and is a real and present danger.”


Alan Kohler: We discuss the issues when competition can come from anywhere.

Peeyush Gupta: “You can be a startup in a garage, and you can challenge someone many thousands of kilometres away - data, personalisation, insights, analytics, all of those things become feasible. Geography drops away.”

Alan Kohler: And define what it is that makes a ‘risk intelligent’ board.

Siobhan McKenna: “Having that portfolio approach allows companies to not swing too wildly between extremely low risk strategies and extremely high risk strategies...”

Alan Kohler: So let’s jump in as I begin by asking Peeyush about the role of the board in defining a company's risk appetite.

Peeyush Gupta: You do have to reflect upon what the immediate priorities for the company are. Two things impact on that. The one is the context of the company, that is to say its industry structure, its competitors, its starting position, its differentiation. Strategic elements, if you like. That should inform your risk appetite. And the second is the collective and the individual risk appetites of the management and the directors, because you do bring your own individual biases or orientation. It’s a synthesis of those two things that I think kind of set the overall risk appetite for any enterprise. 

Often in private companies, you’ll have shareholders with a longer term time horizon and you’ll probably have a more stable group of shareholders. In a public company, shareholders come and go and, really, as a director, your obligation is to the company and towards creating sustainable value. And so you need to think about risk in that context.


Alan Kohler: So how do you reflect on the balance between pulling on the reins as it were and pushing the company forward? The balance between risk and strategy?

Peeyush Gupta: The opposite side of the coin to risk is opportunity. So risk isn’t only about assessing downside risk and from a compliance and avoiding making mistakes. It’s as much about intelligent risk management as about intelligently seeking opportunities. Often people think of, say, entrepreneurs as risk takers. Nothing further from the truth. Good entrepreneurs are good risk managers. So for any company, it’s about risk management, it’s about the right amount of risk for the context of the company at the time.

Alan Kohler:  And Siobhan, how would you describe a risk intelligent board, a board that approaches it, as Peeyush says, intelligently?

Siobhan McKenna: I think of strategic risks as being a portfolio across a company. Within a company one might have one particular area where one is prepared to take, as a board, much more risk while at the same time managing another part of the company in quite a risk-free way. That’s something I see a lot with incumbents that are often large and publicly listed is that there will be a strong cash generative business that needs to be managed along quite thoughtfully and perhaps less risk taken because community expectations or supplier expectations. However, there can be other parts of the company that have the opportunity to take much greater risk because they’re attacking a new segment or a new type of customer or a new geography. And so within the portfolio of the lines of business of the company, there will be different levels of risk. The board actually being conscious of that is an important factor in setting the risk appetite of the company as a whole.

I think having that portfolio approach allows companies to not swing too wildly between extremely low risk strategies and extremely high risk strategies. It’s a portfolio effect.


Alan Kohler: One of the kinds of context of the risk we’re talking about in this series is the digital transformation. Your two main directorships, I guess, Foxtel and Woolworths, are both full steam ahead with digital now, but was there a time when either or both of them were worried about it cannibalising their existing business with, in the case of Woolworths, online shopping and, in the case of Foxtel, streaming services and could see the disruption coming, but was trying to manage the combination of risk and what was clearly going on?


Siobhan McKenna: In both Woolworths and in Foxtel, the threat of digital disruption was and is a real and present danger. Certainly Foxtel, over its 20 year journey, probably should have moved to embrace streaming earlier than it did. It was quite clear, I think, several million Australians had VPNs based out of the US so that they could watch Netflix. So the streaming revolution had already started. 


So, while Foxtel was first to the market globally with a multi-sport streaming solution, it was actually quite late to the market with the launch of Binge and its entertainment streaming product. So should it have moved potentially earlier? Well, yes, and it failed to do so, but of course the threat of cannibalisation for existing management and existing shareholders is terribly confronting.


Alan Kohler:  Can you take us through the risks that you had to manage at that time?


Siobhan McKenna:  Within the Foxtel context, Foxtel had about 30 per cent penetration of Australian households with its Foxtel box product, which is an excellent premium service, but it bought content for that service and was then unable to deploy it across the 70 per cent of households in Australia who didn’t have and don’t have Foxtel. So it was actually about the company recognising it could be an attacker to attack the 70 per cent of the market it didn’t have customers in with new products that did not look like the Foxtel product.


Alan Kohler: But was there a risk of losing what you already had?


Siobhan McKenna:  Of course, and that was one of the main topics of conversation is, ‘Well, gosh, will everybody wake up on the first day of Kayo and say, Oh, I'm going to cease my Foxtel subscription and buy Kayo instead.’ And so, yes, a lot of time and energy was spent thinking through how to manage that risk. And we’ve now got more than a million paying Kayo subscribers, and there’s been very little cannibalisation of the Foxtel base, but that’s because the risks were very thoughtfully managed. The products are quite different, the branding is quite different. The way customers are targeted to buy the product is quite different.


Alan Kohler: And did you start that process with a risk assessment, a risk appetite statement? 

Siobhan McKenna:  A risk appetite statement is quite a specific thing now in Australian governance terms. We didn’t do one that looked like that, which is the more regulatory framework that we’re now becoming very familiar with as directors in public listed companies. It was much more of a focus around the practicalities of execution. What would we do? 


It’s a day to day, month to month proposition managing all new business initiatives. Woolworths, to use another example, could see Amazon making such inroads in almost every geography that it entered.


And for Woolworths, we have a large distributed property footprint in Australia, is that a liability or is it an asset? Well, we decided it was an asset. And so we investigated whether click and collect, where you’d go into the store physically would work better, or whether delivery into the boot through a drive-through would work better or whether home delivery would work and whether it’s next day home delivery or one hour home delivery, all of those things need to be tested and one tests them because one wants to make money, but also one tests them to see where the risks inherent in them are. And my observation would be, people love to think about risk as being binary, but it is indeed not.


Alan Kohler: Peeyush, a lot of what Siobhan’s been talking about is, those sharp decisions that Woolworths and Foxtel had to make underlying, that was risk assessment. My impression with NAB and banking is that Commonwealth Bank has been more aggressive than NAB in embracing online banking. I don’t know if that’s right or not, whether you think that's correct. Firstly, is that right, do you think, and if so, is that because of a difference in risk appetite?


Peeyush Gupta: I would broadly observe about the Australian banking industry that the extent of online functionality that is available to Australians is actually very good by world standards. And that’s across all of the majors and including the other banks as well.


Often Australian industry often exhibits oligopolistic industry structures. And if you’re the ACCC, you might not think that’s a good thing, but I actually do think that sometimes you can deliver utility to customers from having more concentrated structures. In what other country can you march up to any ATM and get your cash out, irrespective of who you bank with, right? So, that’s a function of the digitalisation of all of the banks in this country. And, it's led to a better customer experience. 


Alan Kohler: What sort of risk assessment did the NAB have to make in terms of dealing with that transition from branches to online banking and were there risk issues that had to be dealt with?

Peeyush Gupta:  Absolutely. I think what customers want is really a seamless omni-channel experience. Whether it’s a physical location, such as a bank branch or a store, whether it’s ringing your call centre, whether it’s online through an app and whether it’s through email and correspondence, customers wish to be known, because if they’d been transacting with your company, they expect that you will know something about them rather than having to regurgitate basic facts over and over again.


And that’s indeed one of the challenges in creating a seamless online customer experience. You can more easily architect within one channel a relatively good experience, but connecting it all becomes a challenge. In the case of banks there is a tension between customers migrating to the online digital self service channel, which means that branch traffic falls off significantly. And then you’ve got to look at the economics.


Alan Kohler:  You’re on the NAB credit risk committee. And I imagine most of the risk that you deal with is credit risk. And I wonder whether there’s often a confusion between business risk and credit risk.

Peeyush Gupta: Credit risk is fundamental to banking. And so there’s very well developed processes and policies around articulating the risk appetite around how much credit risk you want in aggregate, how much you want by industry sector, by geography, et cetera. That’s largely actually devolved. Bank boards don’t sit around and actually approve or review individual loans. Thank goodness, Alan.


But, certainly, one of the risk categories that the risk committee would regularly receive reports on is credit risk, but there’s a lot of other buckets of risk and there’s operational risk and legislative risk and customer sort of breaches, interest rate risk, et cetera. Credit is just one of those categories of risk, but within the bank that’s sort of its core to its DNA.

Alan Kohler: With both our guests involved across multiple businesses Australia wide, I checked in with  Peeyush about how he thinks Australia is faring...

Peeyush Gupta: I think Australia’s challenges are probably not that much different to businesses around the world. Given that this series of podcasts is about digital transformation might be worthwhile just reflecting on economics 101, the factors of production, land, labor, capital, technology, and customer preferences, underpinning digital transformation is the changes in technology, but also changes in customer preferences.

To devise strategy, you need to look at both of those components. In the technology area, we now have the internet, we’ve now got the mobile phone, we’ve now got Cloud, those three things together mean that data, personalisation, insights, analytics, all of those things become feasible. Geography drops away. If you’re a retailer now, for example, in Australia, are you really competing only with local retailers? No.

You’re presumably competing with people around the world? So there are some unique opportunities, but also challenges going back to risk being both an opportunity and a threat that I think the digital revolution brings. You can be a startup in a garage, and you can challenge someone many thousands of kilometres away.

We are a small economy and population. Sometimes that means that the amount of capital that we have available towards orchestrating large scale investments in foundational investments can sometimes put us at a relative disadvantage. But, overall, I think the fact that the digital revolution does open up the world for us probably means that there’s more opportunity than constraints.

Alan Kohler: And how important is it, do you think, for the board to maintain oversight through a transformation of any company, and how does it do that?

Peeyush Gupta: If you pursue any technology for technology’s sake, you’ll probably end up with a disappointing outcome. The strategy has to be rooted in clarity around what the business objective is. Is it an uplifting customer service? Is it a reduction in unit cost? Is it improvement in compliance through reg tech? There can be many business drivers that you could utilise digital transformation to drive.

The first thing you need to do is to be clear on what are the outcomes that you want grounded in some business metrics and so on. The challenge for many companies, particularly incumbent companies around the digital transformation, is your starting position often is not a great one. You’re operating off legacy systems, which are probably not in the Cloud. They’re probably, if I take the banking sector as an example, each of the domestic banks has many thousands of systems in their ecosystem, thousands, and they’re all interconnected.

You try moving that spaghetti now to the Cloud and so on, you can’t do it in one fell swoop. And that’s where the role of APIs, which are computer calls that you can make deliberate data and so on, microservices. So you start to manage your legacy systems by reducing the size of them. In a sense you eat the elephant one nibble at a time.  Transitioning to Cloud using these modern sort of technologies while not being bound by your legacy systems, it’s a multi-year journey.

One of the things that’s very important for a digital transformation is to ensure that you fund a multi-year transformation. Often many companies will sort of zero baseline their budget and the funding slate, the investment slate becomes contestable every year. Some of the things that are necessary to successfully enact digital transformation do require multi-year funding.

Alan Kohler: How many years? And are you saying the board has to commit for that number of years?

Peeyush Gupta: The answer is absolutely yes. Cycle times in business have come down. When we all did economics way back when, you sort of used to talk about the business cycle being seven years or whatever. Well, these days business cycles are a lot shorter. So it’s somewhere between, I’d say, three years practically speaking before you kind of reevaluate, but in my experience annual funding slates for digital transformation tend not to work because you get whipsawed too often.

Alan Kohler: And Siobhan, during that period, how do you hold management to account? Do you have any tips?

Siobhan McKenna: Well, I think most boards do the sensible thing, which is there’ll be an agreement at the beginning to fund a strategic project as Peeyush says. And that generally, especially with digital, is a multi-year commitment. One can’t allow CapEx decisions to be made in an annual budget cycle. And then you can’t actually just let it go and hope that it’s going to be as described in the business case that the board signed off on. There’s likely to be six monthly or at least annual reviews of what have we learned, what’s changed, what are the competitors doing? Do we need to change focus? And therefore just that regular review and it’s not gating of funding, but it's making sure that whatever is being built is still fit for purpose.

Alan Kohler: And what if it’s difficult to actually come up with a return on investment because you’re actually in defense mode and you’re trying to invest to stop someone taking your business away?

Siobhan McKenna: Absolutely. And that stay in business CapEx. And we had an experience at Woolworths, which is in the public domain. When I joined the board about five years ago, a lot of CapEx had been spent creating and trying to establish the Masters business. And that required from the Woolworths Group perspective, a diversion of what I would characterise a stay in business CapEx in the supermarkets, which is the annual cycle of you’ve got a thousand stores and guess what? One  hundred of them every year need their refrigeration done. And you’re on an annual cycle of doing that or the air conditioning, whatever it happens to be, but some of that stay in business CapEx had... a large amount of it had been redirected towards Masters, which was a growth opportunity. And what that created was effectively a CapEx debt that needed to then be rectified within the supermarkets business.

Alan Kohler:  Because Masters didn’t work.

Siobhan McKenna: Well, Masters didn’t work and come hell or high water, to run a supermarket you need freezers that work. So much in the same way that if you start digital transformation and you decide that customer data is an important asset and it needs to be put into a data lake that has appropriate governance and rules around it, where definitions of data types are made to be able to talk to each other, doing that as you said, Alan, isn’t going to have an immediate ROI. It’s building an asset that then there’ll be business cases or use cases that hang off where people will say, ‘Yes, I can use the data lake in this way for a certain customer application,’ but creating a proper data platform for customer information through digital, as Peeyush has been saying, there's not going to be an immediate ROI on that. And that can be very confronting, but it doesn't mean it’s not stay in business CapEx.

Alan Kohler: One of the things that interests me about Woolworths and its digital transformation was that as I understand it, Woolworths made a decision to fulfill online shopping from the stores, whereas Coles made a decision to do it from big distribution centers. They were quite different ideas. Was that decision of Woolworths based on a risk assessment or something else?

Siobhan McKenna: I know the intimate details or the answer to that question, but I’m slightly unsure how much Woolworths has said publicly about that. My observation would be though, in general terms, that Australia has a small population of a very wide population, and to get a US size or UK size distribution centre that’s automated, requires a very large throughput of orders. The advantage of using your store footprint is that you could probably do deliveries in the next hour or the next hour and a half and guarantee that delivery. And what that does is mean that maybe 10 per cent of the people in a store at any one time are people picking off the shelves for online delivery. So it’s a risk assessment around, well, will customers prefer next day delivery and a lower potential cost because it’s been through a big DC, or will customers prefer delivery immediately? And so that’s a philosophical question or a strategic question that supermarkets the world over are having to face.

Alan Kohler: Now you're reconfirming what I thought when I saw the differences. I thought that looks like Woolworths is making a smaller bet, or a series of smaller bets, whereas Coles is making big bets on distribution centers. And I thought that was so interesting. 

Siobhan McKenna: You keep talking, I probably can’t say anymore.

Alan Kohler: I do want to ask you something else about Woolworths. Because Woolworths invested in a business called Quantium.

Siobhan McKenna: Yes.

Alan Kohler: Which is a data business. So I wonder to what extent that is about creating a business in itself, and to what extent is it about managing Woolworths’ own data?

Siobhan McKenna: Look, again, I know the intimate answer to that question, but I don't know how much Brad Banducci, our excellent CEO, has said about that publicly. But my observation would be that Quantium was set up to do data analytics, but they needed some consumer data to actually run their business and they, Peeyush, have NAB data. And they also had Woolworths data and actually they had Foxtel data. 

Quantium has, and had, just excellent data scientists and data engineers who were able to get extraordinary insights from these multiple data sets and like any data business, they were able to make money from selling those insights to others. And what has become apparent is that if I look at the NAB, for example, the NAB probably needs its own set of data scientists and data engineers who can look at all of the NAB data, all of its customer information. It’s when people spend money, how people spend money, all of those sorts of questions, and analyse it so that they, NAB, can serve their own customers better because they can do it brilliantly.

Woolworths’ main value from Quantium is making its own business better, being able to predict what customers do and what they don’t like, determine what new products to launch, all of those sorts of things.

Alan Kohler: Peeyush, you mentioned a couple of times now about the number of systems that the bank has, and I’ve heard this often about banks, but also big retailers like Woolworths, all these different systems they don’t talk to each other. Is that a failure of risk management in the past, that the management of the company - and perhaps the board as well - didn’t think as these systems were bought: ‘actually maybe we’d be better off, better if we didn’t buy a whole lot of different systems?’

Peeyush Gupta: No, it’s a good question. And I think, yes, I think you could characterise it perhaps as a blind spot in risk management. 

Maybe boards need to interrogate a little bit more about what the ongoing costs of not merely maintenance of that system, but the connectivity costs to other parts of your general ledger or your web interface or whatever it might be, so total cost of ownership.

But as much of a failure risk management, I think it’s probably more the case that there has been product and service line proliferation in large companies, which in today’s world are no longer economic. The first thing you need to do is to simplify. You need to rationalise your products to really go back down to the core 20 per cent that are probably generating 80 per cent of the profit, frankly. So it’s the old thing. Never automate something till you’ve simplified it first. So, simplify your go-to market, product and service set, then automate it, digitise it, and so on.

Alan Kohler: That’s something I also hear quite often. A new CEO comes in or a new chairman and, ‘Oh, we have to simplify the business,’ has particularly been the case with Westpac, with Peter King coming in as CEO and he’s dramatically simplifying the business. I mean, are the board at NAB looking at that and thinking, ‘Hmm, maybe we’re a bit too complicated? If Westpac’s doing this, maybe we should think about that?’

Peeyush Gupta: I think we as a board and as a company have had that realisation for quite some time. Having the realisation actually executing against it, again, these are multi-year journeys. These are long complex products. You can’t walk away from your existing customer base. You have to give them a sensible path for transition, but where there’s a will, there’s a way. And so you need to apply resources and intent, and you have to persist. 

Alan Kohler: Cybersecurity, obviously this is a new element that is becoming more and more of an issue. To what extent do boards need to focus on that in terms of the risk associated with it?

Peeyush Gupta: The starting point is to do an evaluation of what your current position is. There’s a number of frameworks around. One of the more commonly used ones is NIST, the National Institute for Standards and Technology. They’ve got a five attribute schema along the lines of defend, protect, identify, repel, and remediate, or something like that. So you can get a starting position as to what your current cyber maturity is. It’s a five point scale. Most Australian companies today would be somewhere in the high twos or low threes.


This is a multi-year journey. In the context of the bank board that I sit on, we would spend many tens of millions of dollars a year on cyber securities. I sit on the board of one of our public broadcasters. We don’t have tens of millions of dollars to spend. But in that context, the amount that we spent is a small fraction, but the crown jewels, if you like, in that context that we have as a public broadcaster are far fewer. We have the email addresses and some other very few items of information on our viewers and listeners, whereas in the context of a bank, obviously, it’s much more detailed.


Peeyush Gupta: From a board perspective, you need to identify your current maturity, you need to have a view as to what is the right level of spend to protect the particular assets that you might have, because the answer is context dependent, and then you need to, again, systematically set out around upgrading your defenses. And again, it’s a multi-year journey, as long as you're making progress, that’s a good thing.

Alan Kohler: Just finally, just thinking broadly about the question of risk, I mean, how should a board and a director approach this - managing it more broadly - and think about the question of risk?

Peeyush Gupta: Look, I think largely out of the regulated industries, there’s been a series of artifacts that have emerged that are now evident in most public companies. So the risk appetite statement is a good example. I think it originally started in financial services companies because APA required one to actually formally document the risk appetite that you wanted to have.

An important issue for any company is effective communication. So, you really want your people up and down the chain to understand what risks are acceptable and what risks are not acceptable. The risk appetite statement is merely just a formal articulation of the types of risks that the company is prepared to accept. And sitting underneath the RAS often is the risk limits, which is where you granularly say, ‘Well, we are prepared to lose so much of our capital or our annual income on any risk event or operational risk event or some other risk event.’ 

But the reason I mention the issue around communication is it goes back to culture. Culture is often overlooked as a management instrument, and I think it has an overarching interlinkage with all of the things that we've talked about. So, managing your risk appetite as a company is also about having a risk-aware, risk-responsive, customer-centric and empowered culture that works hand in glove with the formal instruments that you might have to articulate and oversight risk.

Siobhan McKenna: Culture is essential. Certainly as directors, we’re reliant on the idea that,  in the case of Woolworths, 200,000 people who work at Woolworths will understand risk and do the right thing and live within the guidelines provided. 

Not only do the rules need to be in place, but the culture needs to be one where good customer decisions can be made, and when decisions can be made for team safety. And if that’s the predominant cultural setting, then on balance, the right risks will be taken or not.

Alan Kohler: I guess you never know what’s around the corner. There’s a mouse plague on in country New South Wales at the moment, and I understand the supermarkets are full of mice getting under the customer’s feet and eating the flour.

Siobhan McKenna: And probably tripping them over.

Alan Kohler: You never know what’s around the corner, do you?


Alan Kohler: That’s it for this episode of Directors on Digital. Thanks to Peeyush Gupta and Siobhan McKenna for sharing their insights on the role of risk in digital innovation.

So what did we learn about how a board treads the high wire between risk and reward?

  • Risk is not binary. So get clear with an ongoing conversation between board and management on what your risk appetite really is.

  • Boards need to interrogate the total cost of ownership. Not just the maintenance of the system, but the connectivity costs and be aware of future costs for maintaining this connectivity.

Alan Kohler: Don’t miss the final episode of Directors on Digital when I sit down with Diane Smith-Gander, AO FAICD, chair, ZipCo Limited; non-executive director, AGL Energy, HBF Health, North Queensland Airports group and Keystart Loans group. We chat about building digital capability, to obtain the final destination.

Diane Smith-Gander: “If you've got a roadmap with a set of tools that you're going to deploy to progress down the roadmap, then you've got a path to innovation.”

Alan Kohler: Wendy Stops, non-executive director at the Coles Group, Blackmores Ltd and the not-for-profit organisation Fitted for Work. 

Wendy Stops: “Because there's no point coming up with the world's greatest app if no one wants to use it and they all think it’s crap.”

Alan Kohler: And Omar Abbosh, corporate vice president, Cross-Industry Solutions, Microsoft.

Omar Abbosh: “In any transformation of any company, it does take leadership conviction and real follow through to make sure that hearts and minds come along with them.”

Alan Kohler: I’m Alan Kohler, see you again next time.